Data Protection Reform – Next stop: e-Privacy Directive

(This article was originally published in the 24 February 2016 edition of EDRi-gram, the European Digital Rights fortnightly newsletter, at: https://edri.org/data-protection-reform-next-stop-e-privacy-directive/ )

Did you think the data protection reform was finished? Think again. Once the agreement on the texts of the General Data Protection Regulation (GDPR) and the Data Protection Directive for Law Enforcement Agencies (LEDP) was reached, the e-Privacy Directive took its place as the next piece of European Union (EU) law that will be reviewed. The e-Privacy Directive (Directive 2002/58/EC on privacy and electronic communications) contains specific rules on data protection in the area of telecommunication in public electronic networks.

The Directive was first launched as part of the 1999 Communications Review and aimed to provide specific data protection rules for the e-communications sector, following the entry into force of the 1995 Data Protection Directive the previous year. The Directive dropped out of the Review package quite early in the legislative process and was not finally adopted until 2002.

The new instrument needs to cover all online processing of personal data, insofar as not already covered by the GDPR. Not least because of this, the new instrument needs to be enforced by Data Protection Authorities and not telecoms regulators, as is the case in some EU Member States. It also needs to be updated in relation to the treatment of traffic and location data, as well as other geographical information, and how consent is provided in these cases. Location data – even “anonymous” location data – can raise serious security and privacy concerns.

Another element of the Directive that requires considerable re-thinking is the issue of “cookies”. A more consistent and thorough analysis needs to be done of the different types of cookies that exist (tracking cookies, non-tracking cookies, session cookies…) and how to treat them accordingly. The bad joke that consent for cookies has become has given anti-privacy/Big Data lobbies arguments for how (meaningless) consent is the new spam. New, clearer rules should focus on improving the quality of the (very frequently profoundly misleading) information given to individuals and on reducing the number of cookie consent requests. Generally, we advise following the recommendations set by the Article 29 Working Party on this point.

The revised instrument should state that the deliberate installation of any piece of software or hardware on any device without the knowledge or consent of the owner of the device is an unauthorised access and/or data/system interference, as defined in the Council of Europe Cybercrime Convention. Another topic that cannot be avoided relates to the use of encryption in devices. In the new legislation, legislators should consider whether attempts to remove encryption, including the installation of “backdoors”, should be explicitly forbidden. Attention to how consent is provided (and revoked) for value-added services and to the harmonisation and enforcement of the “national security/public order/crime prevention” exemptions is also needed.

The agreed text of the GDPR was the best possible outcome in the current political scenario, bearing in mind also the heavy lobbying it was subject to. The revision of the ePrivacy Directive must not undermine the good parts of the GDPR, while at the same time trying to fix the loopholes it has created. Some lobbies call for “levelling the playing field” in this area, which is not objectionable, as long as the playing field is levelled upwards, to the level set by the GDPR and the case law of the courts in Luxembourg and Strasbourg. That is the playing field, and any policy development in this area needs to live up to those levels of protection.

Directive 2002/58/EC on privacy and electronic communications
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:32002L0058:en:HTML

Article 29 Working Party: Opinion 04/2012 on Cookie Consent Exemption (07.06.2012)
http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf

Data Protection Regulation Update: precise implementation depends on exceptions and Recitals (19.01.2016)
http://amberhawk.typepad.com/amberhawk/2016/01/data-protection-regulation-update-precise-implementation-depends-on-exceptions-and-recitals.html

EU Data Protection Package – Lacking ambition but saving the basics (17.12.2015)
https://edri.org/eu-data-protection-package-lacking-ambition-but-saving-the-basics/

Recommendation No. R (95) 4 on the protection of personal data in the area of telecommunication services
https://wcd.coe.int/com.instranet.InstraServlet?command=com.instranet.CmdBlobGet&InstranetImage=535549&SecMode=1&DocId=518682&Usage=2

(Contribution by Diego Naranjo, EDRi)

FAQ: Passenger Name Records (PNR)

(Originally published at: https://edri.org/faq-pnr/)

The European Union will soon adopt a Directive on the long-term storage and use of “Passenger Name Records” (PNR) for the purpose of profiling individuals as possible serious criminals or terrorists.

What is a Passenger Name Record (PNR)?

Passenger Name Records (PNR) include information provided by passengers and collected by air carriers for commercial purposes. PNR can contain several pieces of additional information such as dates, itinerary and contact details. All PNR data is stored in airlines’ databases.

PNR was originally intended to be used only as a record containing the itinerary for a passenger or for passengers travelling as part of a group. The idea was to allow the exchange of reservation information between airlines in case passengers needed to use different companies in order to reach their final destination. The PNR is created when someone books a flight. At that moment, the travel agent or the website managing the trip creates a PNR in a computer reservation system (CRS).

What kind of data is included?

Passenger Name Records (PNR) can now include every type of data provided by the passengers, including, but not limited to, the date of the trip and complete itinerary, the name and contact information, the form of payment, frequent flyer information, meal preferences and medical information. In some cases, the airlines will have access to other data such as hotel bookings, car rentals, train journeys, travel associates, etc.

Optionally, agencies may also require more data, such as fare details, tax amounts paid, the form of payment used, further contact details, age details if relevant to the travel, frequent flyer data and Special Service Requests.

The full list of data required by the EU PNR Directive is:

  1. PNR record locator
  2. Date of reservation/issue of ticket
  3. Date(s) of intended travel
  4. Name(s)
  5. Address and contact information (telephone number, e-mail address)
  6. All forms of payment information, including billing address
  7. Complete travel itinerary for specific PNR
  8. Frequent flyer information
  9. Travel agency/travel agent
  10. Travel status of passenger, including confirmations, check-in status, no show or go show information
  11. Split/divided PNR information
  12. General remarks (including all available information on unaccompanied minors under 18 years, such as name and gender of the minor, age, language(s) spoken, name and contact details of guardian on departure and relationship to the minor, name and contact details of guardian on arrival and relationship to the minor, departure and arrival agent)
  13. Ticketing field information, including ticket number, date of ticket issuance and one-way tickets, Automated Ticket Fare Quote fields
  14. Seat number and other seat information
  15. Code share information
  16. All baggage information
  17. Number and other names of travellers on PNR
  18. Any Advance Passenger Information (API) data collected (inter alia document type, document number, nationality, country of issuance, date of document expiration, family name, given name, gender, date of birth, airline, flight number, departure date, arrival date, departure port, arrival port, departure time, arrival time)
  19. All historical changes to the PNR listed in numbers 1 to 18

What does PNR add in terms of prevention of terrorism and transnational crimes to other existing systems?

Nothing. There are other ways to access this type of information. For example, law enforcement agencies and intelligence agencies can request access to PNR data via a court order, following the regular procedures prescribed by law.

Furthermore, there are other measures that authorities can use to identify subjects who may be involved in criminal activity, such as the Schengen Information System (1), the Visa Information System (2), Eurodac (3), ECRIS (4) and API data (Advance Passenger Information).

Is it true that PNR will help to stop terrorists?

No. In many of the recent terrorist attacks, the terrorists had already been flagged as people who needed further tracking. Thus, the attackers from the last terrorist incident in Paris were already known to French authorities and details of their travels were also known (7). An EU PNR Directive would not have brought any more security, only more risks. For example, there have already been cases of people being wrongly labelled on these lists based on profiling schemes and, consequently, handed over to repressive regimes and tortured (8).

Rather than creating new surveillance measures, the EU should look for more active and effective cooperation between law enforcement agencies in the EU(5)(6).

Has the EU PNR Directive been proved to be effective, proportionate or necessary?

No. The Directive is being adopted despite concerns raised by the Fundamental Rights Agency (FRA), the European Data Protection Supervisor (EDPS) and the Article 29 Working Party. A study undertaken for the Council of Europe explained that “no serious, verifiable evidence has been produced by the proponents of compulsory suspicionless data collection to show that data mining and profiling by means of the bulk data in general, or the compulsory addition of bulk PNR data to the data mountains already created in particular, is even suitable to the ends supposedly being pursued – let alone that it is effective”. (9)

However, the supporters of PNR seem to hold the unquestioning belief that any form of long-term data storage – including PNR – will be valuable.

What is EDRi’s view on PNR systems?

The right to privacy and the right to data protection are fundamental rights. They are not just a social convention, but legally enforceable rights, enshrined in the Treaties, laws and the Charter of Fundamental Rights. In line with the Charter of Fundamental Rights, infringements of fundamental rights (by long-term storage of such data) are only permissible if they “genuinely meet objectives of general interest”. PNR does not respect this principle.

What are the main problems of the EU PNR proposal?

  • Unlawful Blanket Data Retention: After the European Court of Justice ruling that invalidated the Data Retention Directive, it is difficult to believe that the current PNR proposal would be considered lawful.
  • Excessive Data Retention Period: Even if the retention of data were considered legitimate, in the PNR context the proposed five-year period is significantly longer than could reasonably be deemed necessary or proportionate. In the European Court hearing on data retention, neither the European Commission nor the individual Member States were able to give any justification for the retention periods demanded.
  • Lack of concrete protections from arbitrariness: In the text, it is unclear how the profiling will be done.
  • There are existing measures (VIS (10), SIS (11) and API (12)) which already provide sufficient information: There is no evidence that another system is needed.
  • Lack of evidence showing that these measures are effective, necessary and proportionate in the investigation or prevention of serious crimes: From the European Commission’s own impact assessment (13), there is no concrete evidence on the actual usefulness of PNR collection for the tackling of serious crime or terrorist offences. It is particularly worrying that the European Commission states in its proposal that “PNR data is unverified information provided by passengers” (14) while remaining convinced – despite their questionable accuracy – it could be used in real time “to prevent a crime”.
  • Lack of proportionality: The Fundamental Rights Agency (FRA), the European Data Protection Supervisor (EDPS) and the Article 29 Working Party agree on the lack of proportionality of the proposal. The proposed EU PNR system foresees data collection and analysis for all passengers on international flights without any sort of targeting.
  • Excessive costs: Transposing such a Directive will bring significant costs for Member States. The high expenditure is confirmed by the European Commission’s impact assessment, which put the cost at hundreds of millions of euro.


1 http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/borders-and-visas/schengen-information-system/index_en.htm

2 http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/borders-and-visas/visa-information-system/index_en.htm

3 http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/asylum/identification-of-applicants/index_en.htm

4 http://ec.europa.eu/justice/criminal/european-e-justice/ecris/index_en.htm

5 http://www.euractiv.com/sections/justice-home-affairs/verhofstadt-calls-creation-eu-intelligence-agency-319630

6 http://www.statewatch.org/news/2009/apr/ep-study-leas-exchange-info-data.pdf

7 http://www.dailymail.co.uk/news/article-3320070/The-deadly-blunders-run-Paris-terrorist-centre-international-manhunt-stopped-released-French-police-Belgian-border-hours-deadly-attacks.html

8 http://www.coe.int/t/dghl/standardsetting/media/cdmsi/Rule_of_Law_Internet_Digital_World.pdf

9 https://www.coe.int/t/dghl/standardsetting/dataprotection/TPD_documents/T-PD%282015%2911_PNR%20draft%20report%20Douwe%20Korff%20&%20Marie%20Georges_15%2006%202015.pdf

10 http://europa.eu/legislation_summaries/justice_freedom_security/free_movement_of_persons_asylum_immigration/l14517_en.htm

11 http://ec.europa.eu/dgs/home-affairs/what-we-do/policies/borders-and-visas/schengen-information-system/index_en.htm

12 http://www.icao.int/Security/FAL/Documents/2010%20API%20Guidelines%20Final%20Version.ICAO.2011%20full%20×2.pdf

13 European Commission impact assessment on the proposal for an EU PNR Directive: http://ec.europa.eu/smart-regulation/impact/ia_carried_out/docs/ia_2011/sec_2011_0132_en.pdf

14 Commission proposal for a Directive on the use of Passenger Name records, Page 3: http://ec.europa.eu/home-affairs/news/intro/docs/com_2011_32_en.pdf

From copywrong to copyright?

(Originally published as an ENDitorial at EDRi gram 13.11, 3 June 2015: https://edri.org/enditorial-copywrong-copyright/)

Picture by Stacey: https://www.flickr.com/photos/geekgirlunveiled/4818412527/ CC license CC BY-ND 2.0

“I’ve got two 12-year-old criminals in my kitchen and that can’t be right”

(Jonathan Worth, professional photographer)

The first round of debates surrounding the copyright reform in the European Parliament is reaching its final stage. Pavel Svoboda’s report on Intellectual Property Rights (IPR) enforcement was published on 19 May. The report contains a mixture of negative and positive elements which need to be taken into consideration.

Among the negative aspects, we find simplistic statements, for example that IPR infringements discourage growth (Recital D). In reality, the situation is far more nuanced. For example, while the slow adaptation of the music industry to the digital environment has driven a lot of infringements, the market has adapted. Income from concerts has, in fact, been growing in recent years. The omnipresent mantras of “follow the money” and “commercial scale” are now happily together in the same paragraph (paragraph 3), still without a clear definition of what these concepts imply. Nobody has sought to define “follow the money”, while even the European Commission has said that its 9-year-old definition of “commercial scale” is probably inadequate.

Then, sprinkled all through the Report, there is positive commentary on the generally lamentable work of the Observatory on IPR infringements. Taking into consideration the numerous flaws of much of the output of the Observatory, the gratuitous fawning and, even worse, the calls to use its work as the basis for a new “Intellectual Property” legal framework seem misplaced and ill-informed, to say the least. There is also a mention of the “lack of awareness” of the young generation of the importance of IPR infringements, referring to a study which does not actually say that. It also seems to ignore the results of the copyright consultation, where thousands of users called for an Intellectual Property (IP) framework adapted to the 21st century. Finally, there is the call for “cooperation” of the main Internet stakeholders, which sounds too much like the same old call for privatised law enforcement and the undefined call to “follow the money”.

Among the positive elements, the Report calls for a balance between fundamental rights and privatised law enforcement (paragraph 10), although it is not clear what this call actually means. There is also support for attractive licit offers to combat unauthorised use of content (paragraph 37) and for a “comprehensive legal framework to combat IPR infringement adapted to the online environment, with full regard for fundamental rights and freedoms, fair trials, proportionality and data protection” (paragraph 57). Finally, the Report asks for measures “guaranteeing a balanced approach representing the interests of all stakeholders involved, and, in particular, of consumers and their right of access to content” (paragraph 58).

The Plenary of the European Parliament will vote on the Report in the week beginning 7 June.

Julia Reda’s Report on the implementation of the so-called InfoSoc Directive (one of the foundations of EU Copyright law), on the other hand, has been delayed and is now going to be voted on in the European Parliament Committee on Legal Affairs (JURI) on 16 June. The recently launched copywrongs.eu website contains a good summary of concrete proposals on the harmonisation of exceptions and limitations and for a modernised EU Copyright framework. This new framework should be one where the vast majority of citizens are not considered offenders against intellectual property rights for doing things that seem (and are) perfectly normal, such as private copying or re-using copyrighted material for parody purposes. The copywrongs site also offers a free user-friendly tool, developed by EDRi observer La Quadrature du Net, to call Members of the European Parliament (MEPs) and let them know your position on the debate.

Given the immense disproportion between rightsholders’ lobbyists and civil society advocates, this tool will help to amplify citizens’ voices. Since there are only a few days before the vote, now is the time to get informed via our handbook on copyright and via copywrongs.eu, and to take action for a modernised EU copyright framework!

Copywrongs.eu
https://copywrongs.eu/

EDRi’s document pool on the copyright reform
https://edri.org/copyright-reform-docpool/

Summary report of the responses to the copyright public consultation (30.06.2014)
https://edri.org/summary-report-responses-copyright-consultation/

Economists say P2P file-sharing fuels art (18.06.2009)
http://www.theregister.co.uk/2009/06/18/harvard_working_paper_weak_copyright_protections_benefit_society/

Copyright in the age of the internet (EP video)
http://europarltv.europa.eu/en/player.aspx?pid=97a32df5-0d5f-435b-b573-a49f00a8f175

EDRi paper: Copyright – challenges of the digital era
https://edri.org/wp-content/uploads/2013/10/paper07_web_20130202.pdf

C4C Copyright Manifesto
http://copyright4creativity.eu/wp-content/uploads/2015/01/C4C-Copyright-Manifesto-20150119.pdf

(Contribution by Diego Naranjo, EDRi)

“We still need to watch you, really”: PNR back in the Parliament

(Originally published at EDRi’s website: https://edri.org/pnr-back-in-the-ep/)

Despite the decision of the European Parliament to refer the EU-Canada PNR agreement to the Court of Justice of the European Union (CJEU) in December 2014, the urge to keep increasing surveillance of citizens’ movements across Europe seems to be irrepressible. Timothy Kirkhope, Rapporteur (MEP in charge) for the file “Fight against terrorism and serious crime: use of passenger name record (PNR) data” (procedure file 2011/0023(COD)), is again launching the EU PNR proposal in the European Parliament, after it was rejected by the Parliament’s Civil Liberties Committee in 2013.

What is PNR?

Passenger Name Records (PNR) are data containing information provided by passengers and collected by air carriers for commercial purposes. This can contain several pieces of information such as dates, itinerary and contact details. All PNR data is stored in airlines’ databases.

What kind of information do they contain?

  • Date of the trip and complete itinerary,
  • Name and contact information,
  • Form of payment,
  • Frequent flyer information,
  • Meal preferences,
  • Medical information,
  • Disabilities,
  • Non-flight matters administered by the airline, such as hotel bookings, car rentals, train journeys, travel associates, etc.

Many of these types of data can be used and aggregated to build profiles. For instance, meal preference can provide information about religious affiliation, hotel reservations can indicate passengers’ personal relationships, etc. Mr Kirkhope suggests comparing the PNR database against other databases, presumably to generate such extra data.

How will this information be used under the proposed EU PNR Directive?

The passenger data of all flights from or to the European Union could be processed for the purposes of the prevention, investigation and prosecution of serious crime, serious transnational crime and terrorist offences. However, the definitions in the Directive are so unclear that Member States are given the option of excluding “minor offences” that they cover. All passenger data would be retained by specific Passenger Information Units (PIU) for up to five years (or five and a half years, if being stored by the Australian authorities under the bilateral EU/Australian agreement… or 15 years, if being stored by the US authorities under the bilateral EU/US agreement). Moreover, the proposal foresees the possibility of broadening the scope of the PNR Directive by including internal European flights, a measure that Mr Kirkhope wants to introduce immediately.

What are the main problems of the EU PNR proposal?

  • The ruling of the EU’s court, the Court of Justice, invalidating the Data Retention Directive: The analysis provided in that ruling makes it difficult to believe that the current PNR proposal would be considered lawful.
  • Excessive Data Retention Period: Even if the retention of data in the PNR context were considered necessary and proportionate, the proposed storage period is excessive and lacks any meaningful justification.
  • Lack of concrete protections from arbitrariness: In the text, it is unclear how and when data will be processed (prevention of badly defined “serious crime”). There are existing measures (VIS, SIS and API) which already provide a great deal of information. There is no evidence that another system is needed.
  • Lack of evidence showing that these measures are effective, necessary and proportionate in the detection or prevention of serious crimes. From the European Commission impact assessment, there is no concrete evidence on the actual usefulness of PNR collection for the tackling of serious crime or terrorist offences. In this regard, it is particularly worrying that the European Commission states in its proposal that “PNR data is unverified information provided by passengers” while remaining convinced – despite questionable accuracy – it could be used in real time “to prevent a crime”.
  • Lack of proportionality: The Fundamental Rights Agency, the European Data Protection Supervisor, and the Article 29 Working Party (most recently here) agree on the lack of proportionality of the proposal. The proposed EU PNR system foresees data collection and analysis for all passengers on international flights without any sort of targeting.
  • Excessive costs: Transposing such a Directive will bring significant costs for Member States. The high expenditure is confirmed by the controversial call for proposals of 50 million euros issued by the European Commission to build PNR systems in several Member States. These funds were made available even though the legislation has not been agreed.

We have sent a letter to members of LIBE, and prepared a briefing paper and an analysis of the proposal. It is time to call and write to your MEPs and let them know why this proposal needs to be rejected again.

You can also support our crowdsourcing campaign to produce postcards that will be sent to MEPs in order to make them aware of the risks of this proposal for the fundamental rights of citizens.

 

One minority we need to keep an eye on

In the discourse of protection and respect of minorities, there is one group for which we might want to re-think our otherwise “good manners”. The minority I am thinking about has been a nomadic one for centuries, although lately they are settling more on the outskirts rather than in the centre of our cities. Their origins and their ethnicity and racial features define them as a specific and homogeneous group, and they are easily recognisable. Sometimes, the terrain on which they place their homes used to be publicly owned and, because of the pressure this group is able to exert, becomes private de facto or de jure.

They tend to pay less tax than the majority of us. They benefit from the welfare system in many ways but they contribute less to it (if anything at all) than the average citizen.

Socially, it is a group that finds it difficult to integrate into society. They wear special clothes, they listen to the music which represents their group, they commit violent crimes that most of the time go unpunished and they are cynical enough to pretend to be subjects of victimisation. Being around 0.01% of society, they have vast control over all of us. With all this in mind, I think there is a minority which is increasingly dangerous and that we need to be less cautious when saying these things. As Susan George said, “let’s beat the bastards”.